https://community.splunk.com/t5/Splunk-Dev/Need-help-creating-an-external-lookup-with-Python/m-p/522824#M9354 <P>Hello,</P> <P data-unlink="true">I've read through the documentation on external lookup with python and read through a few posts, could use some guidance.&nbsp; What I am trying to do is use this <A href="https://raw.githubusercontent.com/corelight/pycommunityid/master/scripts/community-id" target="_self">python script</A>.&nbsp; Giving the script arguments <EM>protocol src_ip dest_ip src_port dest_port</EM>, gives you a calculated hash. Running it on its own works fine.&nbsp; This is what I've done so far:<BR /><BR />Python script added to:</P> <LI-CODE lang="markup">$SPLUNK_HOME/etc/apps/search/bin</LI-CODE> <P data-unlink="true">Added stanza to transforms.conf:</P> <LI-CODE lang="markup">[cid] external_cmd = community-id.py Protocol SourceIp DestinationIp SourcePort DestinationPort external_type = python fields_list = Protocol, SourceIp, DestinationIp, SourcePort, DestinationPort</LI-CODE> <P data-unlink="true">I've tried several examples of search commands that was in the documentation and what others have used, but haven't returned any results (errors).&nbsp; So im not really sure if I'm doing this correctly.&nbsp; I've noticed that some examples have their python scripts output to a .csv?&nbsp; is that necessary?&nbsp; should I approach this another way?</P> <P data-unlink="true">BLUF:&nbsp; I want to pass some fields into a python script to give me a calculated hash in a new field.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">&nbsp;</P> Tue, 06 Oct 2020 20:43:13 GMT andrewj84 2020-10-06T20:43:13Z https://community.splunk.com/t5/Splunk-Dev/Need-help-creating-an-external-lookup-with-Python/m-p/522824#M9354 <P>Hello,</P> <P data-unlink="true">I've read through the documentation on external lookup with python and read through a few posts, could use some guidance.&nbsp; What I am trying to do is use this <A href="https://raw.githubusercontent.com/corelight/pycommunityid/master/scripts/community-id" target="_self">python script</A>.&nbsp; Giving the script arguments <EM>protocol src_ip dest_ip src_port dest_port</EM>, gives you a calculated hash. Running it on its own works fine.&nbsp; This is what I've done so far:<BR /><BR />Python script added to:</P> <LI-CODE lang="markup">$SPLUNK_HOME/etc/apps/search/bin</LI-CODE> <P data-unlink="true">Added stanza to transforms.conf:</P> <LI-CODE lang="markup">[cid] external_cmd = community-id.py Protocol SourceIp DestinationIp SourcePort DestinationPort external_type = python fields_list = Protocol, SourceIp, DestinationIp, SourcePort, DestinationPort</LI-CODE> <P data-unlink="true">I've tried several examples of search commands that was in the documentation and what others have used, but haven't returned any results (errors).&nbsp; So im not really sure if I'm doing this correctly.&nbsp; I've noticed that some examples have their python scripts output to a .csv?&nbsp; is that necessary?&nbsp; should I approach this another way?</P> <P data-unlink="true">BLUF:&nbsp; I want to pass some fields into a python script to give me a calculated hash in a new field.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">&nbsp;</P> Tue, 06 Oct 2020 20:43:13 GMT https://community.splunk.com/t5/Splunk-Dev/Need-help-creating-an-external-lookup-with-Python/m-p/522824#M9354 andrewj84 2020-10-06T20:43:13Z